LOK SABHA


The following Bills were introduced in Lok Sabha on 3rd August 2023:—
Bill No. 113 of 2023


A Bill to provide for the processing of digital personal data in a manner that recognises 
both the right of individuals to protect their personal data and the need to process 
such personal data for lawful purposes and for matters connected therewith or 
incidental thereto. 


BE it enacted by Parliament in the Seventy-fourth Year of the Republic of India as 
follows:— 


CHAPTER I 


PRELIMINARY 


Short title and commencement.
1. (1) This Act may be called the Digital Personal Data Protection Act, 2023.
(2) It shall come into force on such date as the Central Government may, by notification
in the Official Gazette, appoint and different dates may be appointed for different provisions
of this Act and any reference in any such provision to the commencement of this Act shall
be construed as a reference to the coming into force of that provision.


Definitions.
2. In this Act, unless the context otherwise requires,—


(a) “Appellate Tribunal” means the Telecom Disputes Settlement and Appellate
Tribunal established under section 14 of the Telecom Regulatory Authority of India
Act, 1997 (24 of 1997);


(b) “automated” means any digital process capable of operating automatically 
in response to instructions given or otherwise for the purpose of processing data; 


(c) “Board” means the Data Protection Board of India established by the Central 
Government under section 18; 


(d) “certain legitimate uses” means the uses referred to in section 7; 
(e) “Chairperson” means the Chairperson of the Board; 


(f) “child” means an individual who has not completed the age of eighteen 
years; 


(g) “Consent Manager” means a person registered with the Board, who acts as 
a single point of contact to enable a Data Principal to give, manage, review and 
withdraw her consent through an accessible, transparent and interoperable platform; 


(h) “data” means a representation of information, facts, concepts, opinions or 
instructions in a manner suitable for communication, interpretation or processing by 
human beings or by automated means; 


(i) “Data Fiduciary” means any person who alone or in conjunction with other 
persons determines the purpose and means of processing of personal data; 


(j) “Data Principal” means the individual to whom the personal data relates and
where such individual is— 


(i) a child, includes the parents or lawful guardian of such a child; 


(ii) a person with disability, includes her lawful guardian, acting on her 
behalf; 


(k) “Data Processor” means any person who processes personal data on behalf 
of a Data Fiduciary; 


(l) “Data Protection Officer” means an individual appointed by the Significant
Data Fiduciary under clause (a) of sub-section (2) of section 10; 


(m) “digital office” means an office that adopts an online mechanism wherein 
the proceedings, from receipt of intimation or complaint or reference or directions or 
appeal, as the case may be, to the disposal thereof, are conducted in online or digital 
mode; 


(n) “digital personal data” means personal data in digital form; 
(o) “gain” means—


(i) a gain in property or supply of services, whether temporary or 
permanent; or 


(ii) an opportunity to earn remuneration or greater remuneration or to 
gain a financial advantage otherwise than by way of legitimate remuneration; 


(p) “loss” means— 


(i) a loss in property or interruption in supply of services, whether 
temporary or permanent; or 


(ii) a loss of opportunity to earn remuneration or greater remuneration or 
to gain a financial advantage otherwise than by way of legitimate remuneration; 


(q) “Member” means a Member of the Board and includes the Chairperson;


(r) “notification” means a notification published in the Official Gazette and the 
expressions “notify” and “notified” shall be construed accordingly; 


(s) “person” includes— 

(i) an individual; 

(ii) a Hindu undivided family; 

(iii) a company; 

(iv) a firm; 

(v) an association of persons or a body of individuals, whether 
incorporated or not; 

(vi) the State; and 


(vii) every artificial juristic person, not falling within any of the preceding 
sub-clauses; 


(t) “personal data” means any data about an individual who is identifiable by or 
in relation to such data; 


(u) “personal data breach” means any unauthorised processing of personal 
data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss 
of access to personal data, that compromises the confidentiality, integrity or availability 
of personal data; 


(v) “prescribed” means prescribed by rules made under this Act; 


(w) “proceeding” means any action taken by the Board under the provisions of 
this Act; 


(x) “processing” in relation to personal data, means a wholly or partly automated 
operation or set of operations performed on digital personal data, and includes 
operations such as collection, recording, organisation, structuring, storage, adaptation, 
retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, 
dissemination or otherwise making available, restriction, erasure or destruction; 


(y) “she” in relation to an individual includes the reference to such individual 
irrespective of gender; 


(z) “Significant Data Fiduciary” means any Data Fiduciary or class of Data 
Fiduciaries as may be notified by the Central Government under section 10; 


(za) “specified purpose” means the purpose mentioned in the notice given by 
the Data Fiduciary to the Data Principal in accordance with the provisions of this Act 
and the rules made thereunder; and 
(zb) “State” means the State as defined under article 12 of the Constitution. 
Application of Act.
3. Subject to the provisions of this Act, it shall—


(a) apply to the processing of digital personal data within the territory of India 
where the personal data is collected— 


(i) in digital form; or
(ii) in non-digital form and digitised subsequently; 


(b) also apply to processing of digital personal data outside the territory of 
India, if such processing is in connection with any activity related to offering of 
goods or services to Data Principals within the territory of India; 


(c) not apply to—
(i) personal data processed by an individual for any personal or domestic 
purpose; and 
(ii) personal data that is made or caused to be made publicly available 
by— 
(A) the Data Principal to whom such personal data relates; or 


(B) any other person who is under an obligation under any law for 
the time being in force in India to make such personal data publicly 
available. 


Illustration. 


X, an individual, while blogging her views, has publicly made available her personal data on social 
media. In such case, the provisions of this Act shall not apply. 


CHAPTER II
OBLIGATIONS OF DATA FIDUCIARY


Grounds for processing personal data.
4. (1) A person may process the personal data of a Data Principal only in accordance
with the provisions of this Act and for a lawful purpose,—


(a) for which the Data Principal has given her consent; or 
(b) for certain legitimate uses. 


(2) For the purposes of this section, the expression “lawful purpose” means any 
purpose which is not expressly forbidden by law. 


Notice.
5. (1) Every request made to a Data Principal under section 6 for consent shall be
accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal,
informing her,—

(i) the personal data and the purpose for which the same is proposed to be
processed;


(ii) the manner in which she may exercise her rights under sub-section (4) of 
section 6 and section 13; and 


(iii) the manner in which the Data Principal may make a complaint to the Board, 
in such manner and as may be prescribed. 


Illustration. 


X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete 
the Know-Your-Customer requirements under law for opening of bank account, X opts for processing of 
her personal data by Y in a live, video-based customer identification process. Y shall accompany or 
precede the request for the personal data with notice to X, describing the personal data and the purpose
of its processing.
(2) Where a Data Principal has given her consent for the processing of her personal 
data before the date of commencement of this Act,— 


(a) the Data Fiduciary shall, as soon as it is reasonably practicable, give to the 
Data Principal a notice informing her,— 


(i) the personal data and the purpose for which the same has been 
processed; 


(ii) the manner in which she may exercise her rights under sub-section (4) 
of section 6 and section 13; and 


(iii) the manner in which the Data Principal may make a complaint to the 
Board, 


in such manner and as may be prescribed.


(b) the Data Fiduciary may continue to process the personal data until and
unless the Data Principal withdraws her consent.


Illustration. 


X, an individual, gave her consent to the processing of her personal data for an online shopping 
app or website operated by Y, an e-commerce service provider, before the commencement of this Act. 
Upon commencement of the Act, Y shall, as soon as practicable, give through email, in-app notification
or other effective method information to X, describing the personal data and the purpose of its processing.


(3) The Data Fiduciary shall give the Data Principal the option to access the contents 
of the notice referred to in sub-sections (1) and (2) in English or any language specified in
the Eighth Schedule to the Constitution. 


Consent.
6. (1) The consent given by the Data Principal shall be free, specific, informed,
unconditional and unambiguous with a clear affirmative action, and shall signify an 
agreement to the processing of her personal data for the specified purpose and be limited to 
such personal data as is necessary for such specified purpose. 


Illustration. 


X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the 
processing of her personal data for making available telemedicine services, and (ii) accessing her mobile 
phone contact list, and X signifies her consent to both. Since phone contact list is not necessary for 
making available telemedicine services, her consent shall be limited to the processing of her personal
data for making available telemedicine services.


(2) Any part of consent referred in sub-section (1) which constitutes an infringement
of the provisions of this Act or the rules made thereunder or any other law for the time being 
in force shall be invalid to the extent of such infringement. 


Illustration. 


X, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She 
gives to Y her consent for (i) the processing of her personal data by Y for the purpose of issuing the 
policy, and (ii) waiving her right to file a complaint to the Data Protection Board of India. Part (ii) of
the consent, relating to waiver of her right to file a complaint, shall be invalid.


(3) Every request for consent under the provisions of this Act or the rules made 
thereunder shall be presented to the Data Principal in a clear and plain language, giving her 
the option to access such request in English or any language specified in the Eighth 
Schedule to the Constitution and providing the contact details of a Data Protection Officer, 
where applicable, or of any other person authorised by the Data Fiduciary to respond to 
any communication from the Data Principal for the purpose of exercise of her rights under 
the provisions of this Act. 


(4) Where consent given by the Data Principal is the basis of processing of personal 
data, such Data Principal shall have the right to withdraw her consent at any time, with the 
ease of doing so being comparable to the ease with which such consent was given. 


(5) The consequences of the withdrawal referred to in sub-section (4) shall be borne 
by the Data Principal, and such withdrawal shall not affect the legality of processing of the 
personal data based on consent before its withdrawal. 


Illustration. 


X, an individual, is the user of an online shopping app or website operated by Y, an e-commerce 
service provider. X consents to the processing of her personal data by Y for the purpose of fulfilling her 
supply order and places an order for supply of a good while making payment for the same. If X withdraws 
her consent, Y may stop enabling X to use the app or website for placing orders, but may not stop the
processing for supply of the goods already ordered and paid for by X.


(6) If a Data Principal withdraws her consent to the processing of personal data under 
sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data 
Processors to cease processing the personal data of such Data Principal unless such 
processing without her consent is required or authorised under the provisions of this Act 
or the rules made thereunder or any other law for the time being in force in India. 


Illustration.


X, a telecom service provider, enters into a contract with Y, a Data Processor, for emailing 
telephone bills to the customers of X. Z, a customer of X, who had earlier given her consent to X for the 
processing of her personal data for emailing of bills, downloads the mobile app of X and opts to receive 
bills only on the app. X shall itself cease, and shall cause Y to cease, the processing of the personal data
of Z for emailing bills.


(7) The Data Principal may give, manage, review or withdraw her consent to the Data 
Fiduciary through a Consent Manager. 


(8) The Consent Manager shall be accountable to the Data Principal and shall act on 
her behalf in such manner and subject to such obligations as may be prescribed. 


(9) Every Consent Manager shall be registered with the Board in such manner and 
subject to such technical, operational, financial and other conditions as may be prescribed. 


(10) Where a consent given by the Data Principal is the basis of processing of 
personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall 
be obliged to prove that a notice was given by her to the Data Principal and consent was 
given by such Data Principal to the Data Fiduciary in accordance with the provisions of this 
Act and the rules made thereunder. 


Certain legitimate uses.
7. A Data Fiduciary may process personal data of a Data Principal for any of following
uses, namely:— 


(a) for the specified purpose for which the Data Principal has voluntarily 
provided her personal data to the Data Fiduciary, and in respect of which she has not 
indicated to the Data Fiduciary that she does not consent to the use of her personal 
data. 


Illustrations. 


(I) X, an individual, makes a purchase at Y, a pharmacy. She voluntarily provides Y her personal
data and requests Y to acknowledge receipt of the payment made for the purchase by sending a message 
to her mobile phone. Y may process the personal data of X for the purpose of sending the receipt. 


(II) X, an individual, electronically messages Y, a real estate broker, requesting Y to help identify
a suitable rented accommodation for her and shares her personal data for this purpose. Y may process her
personal data to identify and intimate to her the details of accommodation available on rent. Subsequently,
X informs Y that X no longer needs help from Y. Y shall cease to process the personal data of X.


(b) for the State and any of its instrumentalities to provide or issue to the Data 
Principal such subsidy, benefit, service, certificate, licence or permit as may be 
prescribed, where— 


(i) she has previously consented to the processing of her personal data 
by the State or any of its instrumentalities for any subsidy, benefit, service, 
certificate, licence or permit; or 


(ii) such personal data is available in digital form in, or in non-digital form 
and digitised subsequently from, any database, register, book or other document 
which is maintained by the State or any of its instrumentalities and is notified 
by the Central Government, 


subject to standards followed for processing being in accordance with the policy issued by 
the Central Government or any law for the time being in force for governance of personal 
data. 


Illustration. 


X, a pregnant woman, enrols herself on an app or website to avail of government’s maternity
benefits programme, while consenting to provide her personal data for the purpose of availing of such
benefits. Government may process the personal data of X processing to determine her eligibility to
receive any other prescribed benefit from the government.


(c) for the performance by the State or any of its instrumentalities of any function
under any law for the time being in force in India or in the interest of sovereignty and 
integrity of India or security of the State; 


(d) for fulfilling any obligation under any law for the time being in force in India 
on any person to disclose any information to the State or any of its instrumentalities, 
subject to such processing being in accordance with the provisions regarding 
disclosure of such information in any other law for the time being in force; 


(e) for compliance with any judgment or decree or order issued under any law 
for the time being in force in India, or any judgment or order relating to claims of a 
contractual or civil nature under any law for the time being in force outside India; 


(f) for responding to a medical emergency involving a threat to the life or 
immediate threat to the health of the Data Principal or any other individual; 


(g) for taking measures to provide medical treatment or health services to any 
individual during an epidemic, outbreak of disease, or any other threat to public 
health; 


(h) for taking measures to ensure safety of, or provide assistance or services to, 
any individual during any disaster, or any breakdown of public order. 


Explanation.—For the purposes of this clause, the expression “disaster” shall
have the same meaning as assigned to it in clause (d) of section 2 of the Disaster
Management Act, 2005 (53 of 2005); or


(i) for the purposes of employment or those related to safeguarding the employer 
from loss or liability, such as prevention of corporate espionage, maintenance of 
confidentiality of trade secrets, intellectual property, classified information or provision 
of any service or benefit sought by a Data Principal who is an employee. 


General obligations of Data Fiduciary.
8. (1) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of
a Data Principal to carry out the duties provided under this Act, be responsible for complying 
with the provisions of this Act and the rules made thereunder in respect of any processing 
undertaken by it or on its behalf by a Data Processor. 


(2) A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor 
to process personal data on its behalf for any activity related to offering of goods or 
services to Data Principals only under a valid contract. 


(3) Where personal data processed by a Data Fiduciary is likely to be— 
(a) used to make a decision that affects the Data Principal; or 


(b) disclosed to another Data Fiduciary, the Data Fiduciary processing such 
personal data shall ensure its completeness, accuracy and consistency. 


(4) A Data Fiduciary shall implement appropriate technical and organisational measures 
to ensure effective observance of the provisions of this Act and the rules made thereunder. 


(5) A Data Fiduciary shall protect personal data in its possession or under its control, 
including in respect of any processing undertaken by it or on its behalf by a Data Processor, 
by taking reasonable security safeguards to prevent personal data breach. 


(6) In the event of a personal data breach, the Data Fiduciary shall give the Board and 
each affected Data Principal, intimation of such breach in such form and manner as may be 
prescribed. 


(7) A Data Fiduciary shall, unless retention is necessary for compliance with any law 
for the time being in force,— 


(a) erase personal data, upon the Data Principal withdrawing her consent or as
soon as it is reasonable to assume that the specified purpose is no longer being
served, whichever is earlier; and


(b) cause its Data Processor to erase any personal data that was made available 
by the Data Fiduciary for processing to such Data Processor. 


Illustrations. 


(I) X, an individual, registers herself on an online marketplace operated by Y, an e-commerce
service provider. X gives her consent to Y for the processing of her personal data for selling her used car. 
The online marketplace helps conclude the sale. Y shall no longer retain her personal data. 


(II) X, an individual, decides to close her savings account with Y, a bank. Y is required by law
applicable to banks to maintain the record of the identity of its clients for a period of ten years beyond
closing of accounts. Since retention is necessary for compliance with law, Y shall retain X’s personal data
for the said period.


(8) The purpose referred to in clause (a) of sub-section (7) shall be deemed to no 
longer be served, if the Data Principal does not— 


(a) approach the Data Fiduciary for the performance of the specified purpose; 
and 


(b) exercise any of her rights in relation to such processing, 


for such time period as may be prescribed, and different time periods may be prescribed for 
different classes of Data Fiduciaries and for different purposes. 


(9) A Data Fiduciary shall publish, in such manner as may be prescribed, the business 
contact information of a Data Protection Officer, if applicable, or a person who is able to 
answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal 
about the processing of her personal data. 


(10) A Data Fiduciary shall establish an effective mechanism to redress the grievances 
of Data Principals. 


(11) For the purposes of this section, it is hereby clarified that a Data Principal shall be 
considered as not having approached the Data Fiduciary for the performance of the specified 
purpose, in any period during which she has not initiated contact with the Data Fiduciary 
for such performance, in person or by way of communication in electronic or physical form. 


Processing of personal data of children.
9. (1) The Data Fiduciary shall, before processing any personal data of a child or a
person with disability who has a lawful guardian obtain verifiable consent of the parent of 
such child or the lawful guardian, as the case may be, in such manner as may be prescribed. 


Explanation.—For the purpose of this sub-section, the expression “consent of the 
parent” includes the consent of lawful guardian, wherever applicable. 


(2) A Data Fiduciary shall not undertake such processing of personal data that is 
likely to cause any detrimental effect on the well-being of a child. 


(3) A Data Fiduciary shall not undertake tracking or behavioural monitoring of children 
or targeted advertising directed at children. 


(4) The provisions of sub-sections (1) and (3) shall not be applicable to processing of
personal data of a child by such classes of Data Fiduciaries or for such purposes, and 
subject to such conditions, as may be prescribed. 


(5) The Central Government may, if satisfied that a Data Fiduciary has ensured that its 
processing of personal data of children is done in a manner that is verifiably safe, notify for 
such processing by such Data Fiduciary the age above which that Data Fiduciary shall be 
exempt from the applicability of all or any of the obligations under sub-sections (1) and (3)
in respect of processing by that Data Fiduciary as the notification may specify. 


Additional obligations of Data Fiduciary.
10. (1) The Central Government may notify any Data Fiduciary or class of Data
Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant
factors as it may determine, including—
(a) the volume and sensitivity of personal data processed;
(b) risk to the rights of Data Principal;
(c) potential impact on the sovereignty and integrity of India; 
(d) risk to electoral democracy; 
(e) security of the State; and 
(f) public order. 
(2) The Significant Data Fiduciary shall— 
(a) appoint a Data Protection Officer who shall— 


(i) represent the Significant Data Fiduciary under the provisions of this 
Act; 


(ii) be based in India; 


(iii) be an individual responsible to the Board of Directors or similar 
governing body of the Significant Data Fiduciary; and 


(iv) be the point of contact for the grievance redressal mechanism under 
the provisions of this Act; 


(b) appoint an independent data auditor to carry out data audit, who shall 
evaluate the compliance of the Significant Data Fiduciary in accordance with the 
provisions of this Act; and 


(c) undertake the following other measures, namely:— 


(i) periodic Data Protection Impact Assessment, which shall be a process 
comprising a description of the rights of Data Principals and the purpose of 
processing of their personal data, assessment and management of the risk to 
the rights of the Data Principals, and such other matters regarding such process 
as may be prescribed; 


(ii) periodic audit; and 


(iii) such other measures, consistent with the provisions of this Act, as 
may be prescribed. 


CHAPTER III 
RIGHTS AND DUTIES OF DATA PRINCIPAL 


Right to access information about personal data.
11. (1) The Data Principal shall have the right to obtain from the Data Fiduciary to
whom she has previously given consent, including consent as referred to in clause (a) of 
section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal 
data, upon making to it a request in such manner as may be prescribed,— 


(a) a summary of personal data which is being processed by such Data Fiduciary
and the processing activities undertaken by that Data Fiduciary with respect to such 
personal data; 


(b) the identities of all other Data Fiduciaries and Data Processors with whom 
the personal data has been shared by such Data Fiduciary, along with a description of 
the personal data so shared; and 


(c) any other information related to the personal data of such Data Principal and 
its processing, as may be prescribed. 


(2) Nothing contained in clause (b) or clause (c) of sub-section (1) shall apply in
respect of the sharing of any personal data by the said Data Fiduciary with any other Data
Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant
to a request made in writing by such other Data Fiduciary for the purpose of prevention or
detection or investigation of offences or cyber incidents, or for prosecution or punishment
of offences.


Right to correction and erasure of personal data.
12. (1) A Data Principal shall have the right to correction, completion, updating and
erasure of her personal data for the processing of which she has previously given consent, 
including consent as referred to in clause (a) of section 7, in accordance with any requirement 
or procedure under any law for the time being in force. 


(2) A Data Fiduciary shall, upon receiving a request for correction, completion or 
updating from a Data Principal,— 


(a) correct the inaccurate or misleading personal data; 
(b) complete the incomplete personal data; and 
(c) update the personal data. 


(3) A Data Principal shall make a request in such manner as may be prescribed to the 
Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data 
Fiduciary shall erase her personal data unless retention of the same is necessary for the 
specified purpose or for compliance with any law for the time being in force. 


13. (1) A Data Principal shall have the right to have readily available means of grievance
redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission 
of such Data Fiduciary or Consent Manager regarding the performance of its obligations in 
relation to the personal data of such Data Principal or the exercise of her rights under the 
provisions of this Act and the rules made thereunder. 


(2) The Data Fiduciary or Consent Manager shall respond to any grievances referred 
to in sub-section (1) within such period as may be prescribed from the date of its receipt for
all or any class of Data Fiduciaries. 


(3) The Data Principal shall exhaust the opportunity of redressing her grievance 
under this section before approaching the Board. 


14. (1) A Data Principal shall have the right to nominate, in such manner as may be
prescribed, any other individual, who shall, in the event of death or incapacity of the Data 
Principal, exercise the rights of the Data Principal in accordance with the provisions of this 
Act and the rules made thereunder. 


(2) For the purposes of this section, the expression “incapacity” means inability to 
exercise the rights of the Data Principal under the provisions of this Act or the rules made 
thereunder due to unsoundness of mind or infirmity of body. 


15. A Data Principal shall perform the following duties, namely:— 


(a) comply with the provisions of all applicable laws for the time being in force 
while exercising rights under the provisions of this Act; 


(b) to ensure not to impersonate another person while providing her personal 
data for a specified purpose; 


(c) to ensure not to suppress any material information while providing her 
personal data for any document, unique identifier, proof of identity or proof of address 
issued by the State or any of its instrumentalities; 


(d) to ensure not to register a false or frivolous grievance or complaint with a 
Data Fiduciary or the Board; and 


(e) to furnish only such information as is verifiably authentic, while exercising 
the right to correction or erasure under the provisions of this Act or the rules made 
thereunder. 


CHAPTER IV
SPECIAL PROVISIONS 


16. (1) The Central Government may, by notification, restrict the transfer of personal
data by a Data Fiduciary for processing to such country or territory outside India as may be 
so notified. 


(2) Nothing contained in this section shall restrict the applicability of any law for the 
time being in force in India that provides for a higher degree of protection for or restriction 
on transfer of personal data by a Data Fiduciary outside India in relation to any personal 
data or Data Fiduciary or class thereof. 


17. (1) The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and
those of Chapter III and section 16 shall not apply where—


(a) the processing of personal data is necessary for enforcing any legal right or 
claim; 


(b) the processing of personal data by any court or tribunal or any other body 
in India which is entrusted by law with the performance of any judicial or quasi-judicial 
or regulatory or supervisory function, where such processing is necessary for the 
performance of such function; 


(c) personal data is processed in the interest of prevention, detection, 
investigation or prosecution of any offence or contravention of any law for the time 
being in force in India; 


(d) personal data of Data Principals not within the territory of India is processed 
pursuant to any contract entered into with any person outside the territory of India 
by any person based in India; 


(e) the processing is necessary for a scheme of compromise or arrangement or 
merger or amalgamation of two or more companies or a reconstruction by way of 
demerger or otherwise of a company, or transfer of undertaking of one or more company 
to another company, or involving division of one or more companies, approved by a 
court or tribunal or other authority competent to do so by any law for the time being 
in force; and 


(f) the processing is for the purpose of ascertaining the financial information 
and assets and liabilities of any person who has defaulted in payment due on account 
of a loan or advance taken from a financial institution, subject to such processing 
being in accordance with the provisions regarding disclosure of information or data 
in any other law for the time being in force. 


Explanation.—For the purposes of this clause, the expressions “default” and 
“financial institution” shall have the meanings respectively assigned to them in 
sub-sections (12) and (14) of section 3 of the Insolvency and Bankruptcy Code, 2016. 


Illustration. 


X, an individual, takes a loan from Y, a bank. X defaults in paying her monthly loan repayment 
instalment on the date on which it falls due. Y may process the personal data of X for ascertaining her 
financial information and assets and liabilities. 


(2) The provisions of this Act shall not apply in respect of the processing of personal 
data— 


(a) by such instrumentality of the State as the Central Government may notify, 
in the interests of sovereignty and integrity of India, security of the State, friendly 
relations with foreign States, maintenance of public order or preventing incitement to 
any cognizable offence relating to any of these, and the processing by the Central 
Government of any personal data that such instrumentality may furnish to it; and 
(b) necessary for research, archiving or statistical purposes if the personal data 
is not to be used to take any decision specific to a Data Principal and such processing 
is carried on in accordance with such standards as may be prescribed. 


(3) The Central Government may, having regard to the volume and nature of personal 
data processed, notify certain Data Fiduciaries or class of Data Fiduciaries, including startups, 
as Data Fiduciaries to whom the provisions of section 5, sub-sections (3) and (7) of 
section 8 and sections 10 and 11 shall not apply. 


Explanation.—For the purposes of this sub-section, the term “startup” means a 
private limited company or a partnership firm or a limited liability partnership incorporated 
in India, which is eligible to be and is recognised as such in accordance with the criteria and 
process notified by the department to which matters relating to startups are allocated in the 
Central Government. 


(4) In respect of processing by the State or any instrumentality of the State, the 
provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such 
processing is for a purpose that does not include making of a decision that affects the Data 
Principal, sub-section (2) of section 12 shall not apply. 


(5) The Central Government may, before expiry of five years from the date of 
commencement of this Act, by notification, declare that any provision of this Act shall not 
apply to such Data Fiduciary or classes of Data Fiduciaries for such period as may be 
specified in the notification. 


CHAPTER V 
DATA PROTECTION BOARD OF INDIA 


18. (1) With effect from such date as the Central Government may, by notification, 
appoint, there shall be established, for the purposes of this Act, a Board to be called the 
Data Protection Board of India. 


(2) The Board shall be a body corporate by the name aforesaid, having perpetual 
succession and a common seal, with power, subject to the provisions of this Act, to acquire, 
hold and dispose of property, both movable and immovable, and to contract and shall, by 
the said name, sue or be sued. 


(3) The headquarters of the Board shall be at such place as the Central Government 
may notify. 


19. (1) The Board shall consist of a Chairperson and such number of other Members 
as the Central Government may notify. 


(2) The Chairperson and other Members shall be appointed by the Central Government 
in such manner as may be prescribed. 


(3) The Chairperson and other Members shall be a person of ability, integrity and 
standing who possesses special knowledge or practical experience in the fields of data 
governance, administration or implementation of laws related to social or consumer 
protection, dispute resolution, information and communication technology, digital economy, 
law, regulation or techno-regulation, or in any other field which in the opinion of the Central 
Government may be useful to the Board, and at least one among them shall be an expert in 
the field of law. 


20. (1) The salary, allowances and other terms and conditions of service of the 
Chairperson and other Members shall be such as may be prescribed, and shall not be varied 
to their disadvantage after their appointment. 


(2) The Chairperson and other Members shall hold office for a term of two years and 
shall be eligible for re-appointment. 
21. (1) A person shall be disqualified for being appointed and continued as the 
Chairperson or a Member, if she— 


(a) has been adjudged as an insolvent; 


(b) has been convicted of an offence, which in the opinion of the Central 
Government, involves moral turpitude; 


(c) has become physically or mentally incapable of acting as a Member; 


(d) has acquired such financial or other interest, as is likely to affect prejudicially 
her functions as a Member; or 


(e) has so abused her position as to render her continuance in office prejudicial 
to the public interest. 


(2) The Chairperson or Member shall not be removed from her office by the Central 
Government unless she has been given an opportunity of being heard in the matter. 


22. (1) The Chairperson or any other Member may give notice in writing to the Central 
Government of resigning from her office, and such resignation shall be effective from the 
date on which the Central Government permits her to relinquish office, or upon expiry of a 
period of three months from the date of receipt of such notice, or upon a duly appointed 
successor entering upon her office, or upon the expiry of the term of her office, whichever 
is earliest. 


(2) A vacancy caused by the resignation or removal or death of the Chairperson or 
any other Member, or otherwise, shall be filled by fresh appointment in accordance with the 
provisions of this Act. 


(3) The Chairperson and any other Member shall not, for a period of one year from the 
date on which they cease to hold such office, except with the previous approval of the 
Central Government, accept any employment, and shall also disclose to the Central 
Government any subsequent acceptance of employment with any Data Fiduciary against 
whom proceedings were initiated by or before such Chairperson or other Member. 


23. (1) The Board shall observe such procedure in regard to the holding of and 
transaction of business at its meetings, including by digital means, and authenticate its 
orders, directions and instruments in such manner as may be prescribed. 


(2) No act or proceeding of the Board shall be invalid merely by reason of — 
(a) any vacancy in or any defect in the constitution of the Board; 


(b) any defect in the appointment of a person acting as the Chairperson or other 
Member of the Board; or 


(c) any irregularity in the procedure of the Board, which does not affect the 
merits of the case. 


(3) When the Chairperson is unable to discharge her functions owing to absence, 
illness or any other cause, the senior-most Member shall discharge the functions of the 
Chairperson until the date on which the Chairperson resumes her duties. 


24. The Board may, with previous approval of the Central Government, appoint such 
officers and employees as it may deem necessary for the efficient discharge of its functions 
under the provisions of this Act, on such terms and conditions of appointment and service 
as may be prescribed. 


25. The Chairperson, Members, officers and employees of the Board shall be deemed, 
when acting or purporting to act in pursuance of provisions of this Act, to be public 
servants within the meaning of section 21 of the Indian Penal Code. 
26. The Chairperson shall exercise the following powers, namely:— 


(a) general superintendence and giving direction in respect of all administrative 
matters of the Board; 


(b) authorise any officer of the Board to scrutinise any intimation, complaint, 
reference or correspondence addressed to the Board; and 


(c) authorise performance of any of the functions of the Board and conduct any 
of its proceedings, by an individual Member or groups of Members and to allocate 
proceedings among them. 


CHAPTER VI 
POWERS, FUNCTIONS AND PROCEDURE TO BE FOLLOWED BY BOARD 


27. (1) The Board shall exercise and perform the following powers and functions, 
namely:— 


(a) on receipt of an intimation of personal data breach under sub-section (6) of 
section 8, to direct any urgent remedial or mitigation measures in the event of a 
personal data breach, and to inquire into such personal data breach and impose 
penalty as provided in this Act; 


(b) on a complaint made by a Data Principal in respect of a personal data breach 
or a breach in observance by a Data Fiduciary of its obligations in relation to her 
personal data or the exercise of her rights under the provisions of this Act, or on a 
reference made to it by the Central Government or a State Government, or in compliance 
of the directions of any court, to inquire into such breach and impose penalty as 
provided in this Act; 


(c) on a complaint made by a Data Principal in respect of a breach in observance 
by a Consent Manager of its obligations in relation to her personal data, to inquire 
into such breach and impose penalty as provided in this Act; 


(d) on receipt of an intimation of breach of any condition of registration of a 
Consent Manager, to inquire into such breach and impose penalty as provided in this 
Act; and 


(e) on a reference made by the Central Government in respect of the breach in 
observance of the provisions of sub-section (2) of section 36 by an intermediary, to 
inquire into such breach and impose penalty as provided in this Act. 


(2) The Board may, for the effective discharge of its functions under the provisions of 
this Act, after giving the person concerned an opportunity of being heard and after recording 
reasons in writing, issue such directions as it may consider necessary to such person, who 
shall be bound to comply with the same. 


(3) The Board may, on a representation made to it by a person affected by a direction 
issued under sub-section (1) or sub-section (2), or on a reference made by the Central 
Government, modify, suspend, withdraw or cancel such direction and, while doing so, 
impose such conditions as it may deem fit, subject to which the modification, suspension, 
withdrawal or cancellation shall have effect. 


28. (1) The Board shall function as an independent body and shall, as far as practicable, 
function as a digital office, with the receipt of complaints and the allocation, hearing and 
pronouncement of decisions in respect of the same being digital by design, and adopt such 
techno-legal measures as may be prescribed. 


(2) The Board may, on receipt of an intimation or complaint or reference or directions 
as referred to in sub-section (1) of section 27, take action in accordance with the provisions 
of this Act and the rules made thereunder. 


5 of 1908. 
(3) The Board shall determine whether there are sufficient grounds to proceed with an 
inquiry. 


(4) In case the Board determines that there are insufficient grounds, it may, for reasons 
to be recorded in writing, close the proceedings. 


(5) In case the Board determines that there are sufficient grounds to proceed with 
inquiry, it may, for reasons to be recorded in writing, inquire into the affairs of any person for 
ascertaining whether such person is complying with or has complied with the provisions of 
this Act. 


(6) The Board shall conduct such inquiry following the principles of natural justice 
and shall record reasons for its actions during the course of such inquiry. 


(7) For the purposes of discharging its functions under this Act, the Board shall have 
the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, in 
respect of matters relating to— 


(a) summoning and enforcing the attendance of any person and examining her 
on oath; 


(b) receiving evidence of affidavit requiring the discovery and production of 
documents; 


(c) inspecting any data, book, document, register, books of account or any 
other document; and 


(d) such other matters as may be prescribed. 


(8) The Board or its officers shall not prevent access to any premises or take into 
custody any equipment or any item that may adversely affect the day-to-day functioning of 
a person. 


(9) The Board may require the services of any police officer or any officer of the 
Central Government or a State Government to assist it for the purposes of this section and 
it shall be the duty of every such officer to comply with such requisition. 


(10) During the course of the inquiry, if the Board considers it necessary, it may for 
reasons to be recorded in writing, issue interim orders after giving the person concerned an 
opportunity of being heard. 


(11) On completion of the inquiry and after giving the person concerned an opportunity 
of being heard, the Board may for reasons to be recorded in writing, either close the 
proceedings or proceed in accordance with section 33. 


(12) At any stage after receipt of a complaint, if the Board is of the opinion that the 
complaint is false or frivolous, it may issue a warning or impose costs on the complainant. 


CHAPTER VII 
APPEAL AND ALTERNATE DISPUTE RESOLUTION 


29. (1) Any person aggrieved by an order or direction made by the Board under this 
Act may prefer an appeal before the Appellate Tribunal. 


(2) Every appeal under sub-section (1) shall be filed within a period of sixty days from 
the date of receipt of the order or direction appealed against and it shall be in such form and 
manner and shall be accompanied by such fee as may be prescribed. 


(3) The Appellate Tribunal may entertain an appeal after the expiry of the period 
specified in sub-section (2), if it is satisfied that there was sufficient cause for not preferring 
the appeal within that period. 


(4) On receipt of an appeal under sub-section (1), the Appellate Tribunal may, after 
giving the parties to the appeal, an opportunity of being heard, pass such orders thereon as 
it thinks fit, confirming, modifying or setting aside the order appealed against. 
(5) The Appellate Tribunal shall send a copy of every order made by it to the Board 
and to the parties to the appeal. 


(6) The appeal filed before the Appellate Tribunal under sub-section (1) shall be dealt 
with by it as expeditiously as possible and endeavour shall be made by it to dispose of the 
appeal finally within six months from the date on which the appeal is presented to it. 


(7) Where any appeal under sub-section (6) could not be disposed of within the 
period of six months, the Appellate Tribunal shall record its reasons in writing for not 
disposing of the appeal within that period. 


(8) Without prejudice to the provisions of section 14A and section 16 of the Telecom 
Regulatory Authority of India Act, 1997, the Appellate Tribunal shall deal with an appeal 
under this section in accordance with such procedure as may be prescribed. 


(9) Where an appeal is filed against the orders of the Appellate Tribunal under this 
Act, the provisions of section 18 of the Telecom Regulatory Authority of India Act, 1997 
shall apply. 


(10) In respect of appeals filed under the provisions of this Act, the Appellate Tribunal 
shall, as far as practicable, function as a digital office, with the receipt of appeal, hearing and 
pronouncement of decisions in respect of the same being digital by design. 


30. (1) An order passed by the Appellate Tribunal under this Act shall be executable 
by it as a decree of civil court, and for this purpose, the Appellate Tribunal shall have all the 
powers of a civil court. 


(2) Notwithstanding anything contained in sub-section (1), the Appellate Tribunal 
may transmit any order made by it to a civil court having local jurisdiction and such civil 
court shall execute the order as if it were a decree made by that court. 


31. If the Board is of the opinion that any complaint may be resolved by mediation, it 
may direct the parties concerned to attempt resolution of the dispute through such mediation 
by such mediator as the parties may mutually agree upon, or as provided for under any law 
for the time being in force in India. 


32. (1) The Board may accept a voluntary undertaking in respect of any matter related 
to observance of the provisions of this Act from any person at any stage of a proceeding 
under section 28. 


(2) The voluntary undertaking referred to in sub-section (1) may include an 
undertaking to take such action within such time as may be determined by the Board, or 
refrain from taking such action, and or publicising such undertaking. 


(3) The Board may, after accepting the voluntary undertaking and with the consent of 
the person who gave the voluntary undertaking vary the terms included in the voluntary 
undertaking. 


(4) The acceptance of the voluntary undertaking by the Board shall constitute a bar 
on proceedings under the provisions of this Act as regards the contents of the voluntary 
undertaking, except in cases covered by sub-section (5). 


(5) Where a person fails to adhere to any term of the voluntary undertaking accepted 
by the Board, such breach shall be deemed to be breach of the provisions of this Act and 
the Board may, after giving such person an opportunity of being heard, proceed in accordance 
with the provisions of section 33. 


CHAPTER VIII 
PENALTIES AND ADJUDICATION 


33. (1) If the Board determines on conclusion of an inquiry that breach of the provisions 
of this Act or the rules made thereunder by a person is significant, it may, after giving the 
person an opportunity of being heard, impose such monetary penalty specified in the 
Schedule. 


(2) While determining the amount of monetary penalty to be imposed under 
sub-section (1), the Board shall have regard to the following matters, namely:— 


(a) the nature, gravity and duration of the breach; 
(b) the type and nature of the personal data affected by the breach; 
(c) repetitive nature of the breach; 


(d) whether the person, as a result of the breach, has realised a gain or avoided 
any loss; 


(e) whether the person took any action to mitigate the effects and consequences 
of the breach, and the timeliness and effectiveness of such action; 


(f) whether the monetary penalty to be imposed is proportionate and effective, 
having regard to the need to secure observance of and deter breach of the provisions 
of this Act; and 


(g) the likely impact of the imposition of the monetary penalty on the person. 


34. All sums realised by way of penalties imposed by the Board under this Act, shall 
be credited to the Consolidated Fund of India. 


CHAPTER IX 
MISCELLANEOUS 


35. No suit, prosecution or other legal proceedings shall lie against the Central 
Government, the Board, its Chairperson and any Member, officer or employee thereof for 
anything which is done or intended to be done in good faith under the provisions of this 
Act or the rules made thereunder. 


36. The Central Government may, for the purposes of this Act, require the Board and 
any Data Fiduciary or intermediary to furnish such information as it may call for. 


37. (1) The Central Government or any of its officers specially authorised by it in this 
behalf may, upon receipt of a reference in writing from the Board that— 


(a) intimates the imposition of monetary penalty by the Board on a Data Fiduciary 
in two or more instances; and 


(b) advises, in the interests of the general public, the blocking for access by the 
public to any information generated, transmitted, received, stored or hosted, in any 
computer resource that enables such Data Fiduciary to carry on any activity relating 
to offering of goods or services to Data Principals within the territory of India, 


after giving an opportunity of being heard to that Data Fiduciary, on being satisfied that it 
is necessary or expedient so to do, in the interests of the general public, for reasons to be 
recorded in writing, by order, direct any agency of the Central Government or any intermediary 
to block for access by the public or cause to be blocked for access by the public any such 
information. 


(2) Every intermediary who receives a direction issued under sub-section (1) shall be 
bound to comply with the same. 


(3) For the purposes of this section, the expressions “computer resource”, 
“information” and “intermediary” shall have the meanings respectively assigned to them in 
the Information Technology Act, 2000. 
38. (1) The provisions of this Act shall be in addition to and not in derogation of any 
other law for the time being in force. 


(2) In the event of any conflict between a provision of this Act and a provision of any 
other law for the time being in force, the provision of this Act shall prevail to the extent of 
such conflict. 


39. No civil court shall have the jurisdiction to entertain any suit or proceeding in 
respect of any matter for which the Board is empowered under the provisions of this Act 
and no injunction shall be granted by any court or other authority in respect of any action 
taken or to be taken in pursuance of any power under the provisions of this Act. 


40. (1) The Central Government may, by notification, and subject to the condition of 
previous publication, make rules not inconsistent with the provisions of this Act, to carry 
out the purposes of this Act. 


(2) In particular and without prejudice to the generality of the foregoing power, such 
rules may provide for all or any of the following matters, namely: — 


(a) the manner in which the notice given by the Data Fiduciary to a Data Principal 
shall inform her, under sub-section (1) of section 5; 


(b) the manner in which the notice given by the Data Fiduciary to a Data Principal 
shall inform her, under sub-section (2) of section 5; 


(c) the manner of accountability and the obligations of Consent Manager under 
sub-section (8) of section 6; 


(d) the manner of registration of Consent Manager and the conditions relating 
thereto, under sub-section (9) of section 6; 


(e) the subsidy, benefit, service, certificate, licence or permit for the provision or 
issuance of which, personal data may be processed under clause (b) of section 7; 


(f) the form and manner of intimation of personal data breach to the Board under 
sub-section (6) of section 8; 


(g) the time period for the specified purpose to be deemed as no longer being 
served, under sub-section (8) of section 8; 


(h) the manner of publishing the business contact information of a Data 
Protection Officer under sub-section (9) of section 8; 


(i) the manner of obtaining verifiable consent under sub-section (1) of 
section 9; 


(j) the classes of Data Fiduciaries, the purposes of processing of personal data 
of a child and the conditions relating thereto, under sub-section (4) of section 9; 


(k) the other matters comprising the process of Data Protection Impact 
Assessment under sub-clause (i) of clause (c) of sub-section (2) of section 10; 


(l) the other measures that the Significant Data Fiduciary shall undertake under 
sub-clause (iii) of clause (c) of sub-section (2) of section 10; 


(m) the manner in which a Data Principal shall make a request to the Data 
Fiduciary to obtain information and any other information related to the personal data 
of such Data Principal and its processing, under sub-section (1) of section 11; 


(n) the manner in which a Data Principal shall make a request to the Data 
Fiduciary for erasure of her personal data under sub-section (3) of section 12; 


(o) the period within which the Data Fiduciary shall respond to any grievances 
under sub-section (2) of section 13; 
(p) the manner of nomination of any other individual by the Data Principal 
under sub-section (1) of section 14; 


(q) the standards for processing the personal data for exemption under clause (b) 
of sub-section (2) of section 17; 


(r) the manner of appointment of the Chairperson and other Members of the 
Board under sub-section (2) of section 19; 


(s) the salary, allowances and other terms and conditions of services of the 
Chairperson and other Members of the Board under sub-section (1) of section 20; 


(t) the manner of authentication of orders, directions and instruments under 
sub-section (1) of section 23; 


(u) the terms and conditions of appointment and service of officers and 
employees of the Board under section 24; 


(v) the techno-legal measures to be adopted by the Board under sub-section (1) 
of section 28; 


(w) the other matters under clause (d) of sub-section (7) of section 28; 


(x) the form, manner and fee for filing an appeal under sub-section (2) of 
section 29; 


(y) the procedure for dealing an appeal under sub-section (8) of section 29; 


(z) any other matter which is to be or may be prescribed or in respect of which 
provision is to be, or may be, made by rules. 


41. Every rule made and every notification issued under section 16 and section 42 of 
this Act shall be laid, as soon as may be after it is made, before each House of Parliament, 
while it is in session, for a total period of thirty days which may be comprised in one session 
or in two or more successive sessions, and if before the expiry of the session immediately 
following the session or the successive sessions aforesaid, both Houses agree in making 
any modification in the rule or notification or both Houses agree that the rule or notification 
should not be made or issued, the rule or notification shall thereafter have effect only in 
such modified form or be of no effect, as the case may be; so, however, that any such 
modification or annulment shall be without prejudice to the validity of anything previously 
done under that rule or notification. 


42. (1) The Central Government may, by notification, amend the Schedule, subject to 
the restriction that no such notification shall have the effect of increasing any penalty 
specified therein to more than twice of what was specified in it when this Act was originally 
enacted. 


(2) Any amendment notified under sub-section (1) shall have effect as if enacted in 
this Act and shall come into force on the date of the notification. 


43. (1) If any difficulty arises in giving effect to the provisions of this Act, the Central 
Government may, by order published in the Official Gazette, make such provisions not 
inconsistent with the provisions of this Act as may appear to it to be necessary or expedient 
for removing the difficulty. 

(2) No order as referred to in sub-section (1) shall be made after the expiry of three 
years from the date of commencement of this Act. 


(3) Every order made under this section shall be laid, as soon as may be after it is 
made, before each House of Parliament. 


44. (1) In section 14 of the Telecom Regulatory Authority of India Act, 1997, in 
clause (c), for sub-clauses (i) and (ii), the following sub-clauses shall be substituted, 
namely:— 
“(i) the Appellate Tribunal under the Information Technology Act, 2000; 


(ii) the Appellate Tribunal under the Airports Economic Regulatory Authority 
of India Act, 2008; and 


(iii) the Appellate Tribunal under the Digital Personal Data Protection 
Act, 2023.”. 


(2) The Information Technology Act, 2000 shall be amended in the following manner, 
namely:— 
(a) section 43A shall be omitted; 


(b) in section 81, in the proviso, after the words and figures “the Patents 
Act, 1970”, the words and figures “or the Digital Personal Data Protection Act, 2023” 
shall be inserted; and 


(c) in section 87, in sub-section (2), clause (ob) shall be omitted. 


(3) In section 8 of the Right to Information Act, 2005, in sub-section (1), for clause (j), 
the following clause shall be substituted, namely:— 


“(j) information which relates to personal information;”. 
THE SCHEDULE 
[See section 33 (1)] 


| Breach of provisions of this Act or rules made thereunder (2) | Penalty (3) |
| --- | --- |
| Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (5) of section 8. | May extend to two hundred and fifty crore rupees. |
| Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8. | May extend to two hundred crore rupees. |
| Breach in observance of additional obligations in relation to children under section 9. | May extend to two hundred crore rupees. |
| Breach in observance of additional obligations of Significant Data Fiduciary under section 10. | May extend to one hundred and fifty crore rupees. |
| Breach in observance of the duties under section 15. | May extend to ten thousand rupees. |
| Breach of any term of voluntary undertaking accepted by the Board under section 32. | Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted. |
| Breach of any other provision of this Act or the rules made thereunder. | May extend to fifty crore rupees. |
STATEMENT OF OBJECTS AND REASONS 
Digital transactions have transformed economic as well as social interactions. Use of 
personal data for provision of services and other purposes is a common aspect of such 
transactions. In this context, protection of personal data has become a pre-requisite for 
growth of digital economy. 


2. Therefore, there is a need for enacting a legislation that provides for protection and 
security of personal data of users and recognises the need to process such personal data for 
lawful purposes. 


3. The Digital Personal Data Protection Bill, 2023 confers rights on individuals to 
protect their personal data, places obligations on entities that process personal data and 
lays down the compliance mechanism. 


4. The said Bill, inter alia, seeks— 
(a) to provide for protection of digital personal data; 
(b) to lay down grounds for processing personal data; 


(c) to place general and in certain cases special obligations on entities that 
process personal data; 


(d) to confer certain rights in respect of their personal data on individuals; 


(e) to provide for duties to be performed by individuals while exercising their 
rights and providing their personal data for certain purposes; 


(f) to lay down a digital by design compliance framework for easy and faster 
implementation of the proposed Legislation; 


(g) to enable parties to a dispute to attempt resolution of the dispute through 
alternate process and person of their choice; 


(h) to provide monetary penalties for lapses and non-compliance of the provisions 
of the proposed Legislation; and 


(i) to enable voluntary undertaking to encourage faster resolution and rectification
of lapses.


5. The Notes on Clauses explain in detail the various provisions contained in the Bill. 


6. The Bill seeks to achieve the above objectives. 


NEW DELHI; ASHWINI VAISHNAW.
The 19th July, 2023. 


PRESIDENT'S RECOMMENDATION UNDER ARTICLE 117 OF THE 


[Letter No. AA-11038/2021-CL&ES dated 25th July, 2023 from Shri Ashwini 
Vaishnaw, Minister of Railways, Communications and Electronics and Information Technology
to the Secretary General, Lok Sabha] 


The President, having been informed of the subject matter of the Digital Personal Data 
Protection Bill, 2023 recommends to the House the introduction of the Bill under article 117 
(1) and consideration of the Bill under article 117 (3) of the Constitution. 
Notes on Clauses


Clause 1.—This clause seeks to provide for short title and commencement of the 
proposed Legislation. 


Clause 2.—This clause seeks to define certain expressions occurring in the proposed 
Legislation. 


Clause 3.—This clause relates to "Application of Act". 


This clause seeks to clarify the application of the proposed Legislation about personal 
data. 


Clause 4.—This clause relates to "Grounds for processing personal data". 


This clause seeks to lay down grounds on processing of personal data in accordance 
with the provisions of the proposed Legislation and for a lawful purpose. 


Clause 5.—This clause relates to "Notice". 


This clause seeks to lay down the requirement of notice for collection or processing of 
personal data and description of notice. 


Clause 6.—This clause relates to "Consent". 


This clause seeks to expound the various aspects of consent which is necessary for 
processing of personal data. 


Clause 7.—This clause relates to "Certain legitimate uses". 


This clause seeks to expound the various aspects of certain legitimate uses which is 
necessary for processing of personal data. 


Clause 8.—This clause relates to "General obligations of Data Fiduciary".


This clause seeks to lay down the general obligations on Data Fiduciary for processing 
personal data. 


Clause 9.—This clause relates to "Processing of personal data of children". 
This clause seeks to lay down the grounds for processing of personal data of children. 
Clause 10.—This clause relates to "Additional obligations of Significant Data Fiduciary". 


This clause seeks to lay down the additional obligations on Significant Data Fiduciary 
for processing personal data. 


Clause 11.—This clause relates to "Right to access information about personal data". 


This clause seeks to provide the data principal with the right to access information 
about personal data. 


Clause 12.—This clause relates to "Right to correction and erasure of personal data". 


This clause seeks to provide the data principal with a right to correct and erase his 
personal data. 


Clause 13.—This clause relates to "Right of grievance redressal". 
This clause seeks to provide the data principal with a right of grievance redressal. 
Clause 14.—This clause relates to "Right to nominate".


This clause seeks to provide the data principal with a right to nominate. 


Clause 15.—This clause relates to "Duties of Data Principal".


This clause seeks to lay down the duties of Data Principal for the exercise of the rights 
under the provisions of the proposed Legislation. 


Clause 16.—This clause relates to "Processing of personal data outside India". 


This clause seeks to lay down the Provisions related to processing of personal data 
outside India. 


Clause 17.—This clause relates to "Exemptions". 


This clause seeks to provide for exemption of certain provisions of the proposed 
Legislation and lay down the legitimate purposes for processing of personal data. 


Clause 18.—This clause relates to "Establishment of Board". 


This clause seeks to establish a Board to be called the Data Protection Board of India. 
The Board shall consist of a Chairperson and such number of Members as the Central 
Government may notify. 


Clause 19.—This clause relates to "Composition and qualifications for appointment 
of Chairperson and Members". 


This clause seeks to list out the composition and qualifications for appointment of 
Chairperson and Members of the Board. 


Clause 20.—This clause relates to "Salary, allowances payable to and term of office". 


This clause seeks to list out the salary, allowances and other terms and conditions of 
service of the Chairperson and other Members of the Board. 


Clause 21.—This clause relates to "Disqualifications for appointment and continuation 
as Chairperson and Members of Board". 


This clause seeks to list out the disqualifications for appointment and continuation as 
Chairperson and Members of Board. 


Clause 22.—This clause relates to "Resignation by Members and filling of vacancy". 


This clause seeks to lay down the resignation by Members of Board and filling of 
vacancy. 


Clause 23.—This clause relates to "Proceedings of Board". 


This clause seeks to lay down the proceedings of Board. The Board is required to 
follow prescribed procedures for conducting its meeting and carrying out its business, 
including the use of digital means. 


Clause 24.—This clause relates to "Officers and employees of Board". 


This clause seeks to empower the Board to appoint officers and employees of Board 
for the effective execution of the functions under the proposed Legislation. 


Clause 25.—This clause relates to "Members and officers to be public servants". 


This clause seeks to deem Members and officers of the Board, while carrying out their 
duties in accordance with the provisions of the proposed Legislation, to be public servants 
as defined in section 21 of the Indian Penal Code. 


Clause 26.—This clause relates to "Powers of Chairperson". 


This clause seeks to provide the powers to be exercised by the Chairperson for the 
efficient administration of the Board. 


Clause 27.—This clause relates to "powers and functions of Board". 


This clause seeks to list the powers and functions of the Data Protection Board of 
India. The Board has the power to take prompt action in response to personal data breaches, 
investigate complaints, and impose penalties. Additionally, the Board can issue directions
to ensure compliance and has the authority to modify or cancel its directions based on 
representations or references. Through these powers and functions, the Board aims to 
safeguard the rights and interests of Data Principals and maintain the integrity of personal 
data processing activities. 


Clause 28.—This clause relates to "Procedure to be followed by Board". 


This clause seeks to lay down the procedures to be followed by the Board pursuant to 
an inquiry. 


Clause 29.—This clause relates to "Appeal to Appellate Tribunal". 


This clause seeks to provide for appeal to the Telecom Disputes Settlement and 
Appellate Tribunal against any order of the Board. 


Clause 30.—This clause relates to "Orders passed by Appellate Tribunal to be 
executable as decree". 


This clause seeks to provide that the Appellate Tribunal shall have all the
powers of civil court. 


Clause 31.—This clause relates to "Alternate dispute resolution".


This clause seeks to lay down the alternate dispute resolution of the dispute through 
such mediation as the Board may deem appropriate. 


Clause 32.—This clause relates to "voluntary undertaking". 


This clause seeks to lay down the voluntary undertaking in respect of any matter 
related to observance to the provisions of the proposed Legislation from any person at any 
stage of a proceeding under clause 28 of the proposed Legislation. 


Clause 33.—This clause relates to "Penalties". 
This clause seeks to provide monetary penalties by Data Protection Board. 


Clause 34.—This clause relates to "Crediting sums realised by way of penalties to 
Consolidated Fund of India". 


This clause seeks to lay down the crediting sums realised by way of penalties to 
Consolidated Fund of India. 


Clause 35.—This clause relates to "Protection of action taken in good faith". 


This clause seeks to protect the Central Government, the Board, its Chairperson and 
any Member, officer or employee in case of action done under the proposed Legislation in 
good faith. 


Clause 36.—This clause relates to "Power to call for information". 
This clause seeks to empower the Board to call for information from any Data Fiduciary. 
Clause 37.—This clause relates to "Power of Central Government to issue directions". 
This clause seeks to empower the Central Government to issue directions to the Board. 
Clause 38.—This clause relates to "Consistency with other laws". 


This clause seeks to provide for the overriding effect of this Legislation notwithstanding 
anything inconsistent with any other law. 


Clause 39.—This clause relates to "Bar of jurisdiction". 


This clause seeks to lay down that no civil court shall have jurisdiction to entertain 
any suit on any matter which falls within the ambit of the Board. 


Clause 40.—This clause relates to "Power to make rules".


This clause seeks to empower the Central Government to make rules to carry out the
purposes of the proposed Legislation. 


Clause 41.—This clause relates to "Laying of rules and certain notifications". 


This clause seeks to require that rules and regulations made under the Legislation are 
to be laid before the Parliament. 


Clause 42.—This clause relates to "Power to amend Schedule". 


This clause seeks to empower the Central Government to amend the Schedule to carry 
out the provisions of the proposed Legislation. 


Clause 43.—This clause relates to "Power to remove difficulties". 


This clause seeks to empower the Central Government to issue an order for removal of 
any difficulty that arises during implementation of the proposed Legislation.


Clause 44.—This clause relates to "Amendments to certain Acts". 


This clause seeks to provide for related amendments to the Information Technology 
Act, 2000, the Telecom Regulatory Authority of India Act, 1997 and the Right to Information 
Act, 2005. 


FINANCIAL MEMORANDUM


The Bill envisages the creation of a Data Protection Board of India. Since the structure 
of the Board is to be notified after enactment of the Bill, at this stage, the financial implication 
of the setting up and functioning of the Board is estimated to be about twenty-five crore 
rupees towards initial capital expenditure and ten crore rupees annually for recurring 
expenditure. The said expenditure is to be incurred from and out of the Consolidated Fund of 
India. 


MEMORANDUM REGARDING DELEGATED LEGISLATION


Clause 40 of the Digital Personal Data Protection Bill, 2023 seeks to empower the
Central Government, by notification and subject to the condition of previous publication,
not inconsistent with the provisions of the Act, to make rules for—(a) the manner in which
the notice given by the Data Fiduciary to a Data Principal shall inform her, under
sub-section (1) of section 5; (b) the manner in which the notice given by the Data Fiduciary
to a Data Principal shall inform her, under sub-section (2) of section 5; (c) the manner of
accountability and the obligations of Consent Manager under sub-section (8) of section 6;
(d) the manner of registration of Consent Manager and the conditions relating thereto, under
sub-section (9) of section 6; (e) the subsidy, benefit, service, certificate, licence or permit for
the provision or issuance of which, personal data may be processed under clause (b) of
section 7; (f) the form and manner of intimation of personal data breach to the Board under
sub-section (6) of section 8; (g) the time period for the specified purpose to be deemed as no
longer being served, under sub-section (8) of section 8; (h) the manner of publishing the
business contact information of a Data Protection Officer under sub-section (9) of section 8;
(i) the manner of obtaining verifiable consent under sub-section (1) of section 9; (j) the
classes of Data Fiduciaries, the purposes of processing of personal data of a child and the
conditions relating thereto, under sub-section (4) of section 9; (k) the other matters comprising
the process of Data Protection Impact Assessment under sub-clause (i) of clause (c) of
sub-section (2) of section 10; (l) the other measures that the Significant Data Fiduciary shall
undertake under sub-clause (iii) of clause (c) of sub-section (2) of section 10; (m) the manner
in which a Data Principal shall make a request to the Data Fiduciary to obtain information and
any other information related to the personal data of such Data Principal and its processing,
under sub-section (1) of section 11; (n) the manner in which a Data Principal shall make a
request to the Data Fiduciary for erasure of her personal data under sub-section (3) of
section 12; (o) the period within which the Data Fiduciary shall respond to any grievances
under sub-section (2) of section 13; (p) the manner of nomination of any other individual by
the Data Principal under sub-section (1) of section 14; (q) the standards for processing the
personal data for exemption under clause (b) of sub-section (2) of section 17; (r) the manner
of appointment of Chairperson and other Members of the Board under sub-section (2) of
section 19; (s) the salary, allowances and other terms and conditions of services of the
Chairperson and other Members of the Board under sub-section (1) of section 20; (t) the
manner of authentication of orders, directions and instruments under sub-section (1) of
section 23; (u) the terms and conditions of appointment and service of officers and employees
of the Board under section 24; (v) the techno-legal measures to be adopted by the Board
under sub-section (1) of section 28; (w) the other matters under clause (d) of sub-section (7)
of section 28; (x) the form, manner and fee for filing an appeal under sub-section (2) of
section 29; (y) the procedure for dealing an appeal under sub-section (8) of section 29;
(z) any other matter which is to be or may be prescribed or in respect of which provision is to
be, or may be, made by rules.


2. The matters in respect of which rules may be made under the aforesaid provisions 
are matters of detail and it is not practicable to provide them in the Bill itself. The delegation 
of legislative powers is, therefore, of a normal character. 


8 of 1948. 


Jammu and 
Kashmir 
Act No. 


(1955 A.D.). 


BILL No. 114 OF 2023
A Bill further to amend the Pharmacy Act, 1948. 


BE it enacted by Parliament in the Seventy-fourth Year of the Republic of India as 
follows:— 


1. This Act may be called the Pharmacy (Amendment) Act, 2023. 


2. After section 32B of the Pharmacy Act, 1948, the following section shall be inserted, 
namely:— 


"32C. Notwithstanding anything contained in section 32, any person whose 
name has been entered in the register of pharmacists maintained under the Jammu and 
Kashmir Pharmacy Act, 2011 or possesses qualification (medical assistant/ 
pharmacists) prescribed under the said Act shall be deemed to have been entered in 
the register of pharmacists prepared and maintained under Chapter IV of this Act, 
subject to condition that an application to be made in this behalf within a period of 
one year from the commencement of the Pharmacy (Amendment) Act, 2023 and on 
payment of such fee, and in such manner, as may be prescribed by the Government of 
Union territory of Jammu and Kashmir and Administration of Union territory of 
Ladakh.". 


Short title.


Insertion of new section 32C.


Special provision relating to persons registered or qualified under Jammu and Kashmir Pharmacy Act, 2011.


STATEMENT OF OBJECTS AND REASONS

The implementation of the Jammu and Kashmir Reorganisation Act, 2019 led to 
repealing of various Acts applicable in the erstwhile State of Jammu and Kashmir including 
the Jammu and Kashmir Pharmacy Act, Samvat, 2011 (1955 A.D.) which regulated the 
profession of Pharmacy in the State. Consequently, the Jammu and Kashmir Pharmacy 
Council was re-constituted and the Pharmacy Act, 1948 was adopted in the Union territory 
of Jammu and Kashmir vide Statutory Order dated 5-10-2020 of MHA introducing 
section 32C in the Pharmacy Act, 1948. It is pertinent to mention that it was never actually
amended in the Pharmacy Act, 1948 but remained a part of the Statutory Order dated
5-10-2020. The section reads as follows:— 


“32C. Special provisions regarding persons registered under the Jammu and 
Kashmir Pharmacy Act, (Samvat, 2011) (1955 A.D.)—Notwithstanding anything contained 
in section 32, any person whose name has been entered in the register of pharmacists 
maintained under the Jammu and Kashmir Pharmacy Act, 2011 (1955 A.D.) and 
possesses qualification prescribed under the said Act shall be deemed to have been 
entered in the register of pharmacists prepared and maintained under Chapter IV of 
this Act, subject to an application to be made in this behalf within a period of one year 
commencing from 31.10.2020 and payment of such fee as may be prescribed by the 
Government of Union territory of Jammu and Kashmir.” 


2. Similarly, the Pharmacy Act, 1948 was adopted in the Union Territory of Ladakh 
vide Statutory Order dated 23-10-2020 of MHA introducing a section 32C in the Pharmacy 
Act, 1948. It is pertinent to mention that it was never actually amended in the Pharmacy 
Act, 1948 but remained a part of the Statutory Order dated 23-10-2020. The section reads as
follows:— 


“32C. Special provisions regarding persons registered under the Jammu and 
Kashmir Pharmacy Act, (Samvat, 2011) (1955 A.D.)—Notwithstanding anything 
contained in section 32, any person whose name has been entered in the register of 
pharmacists maintained under the Jammu and Kashmir Pharmacy Act, 2011 
(1955 A.D.) and possesses qualification prescribed under the said Act shall be deemed 
to have been entered in the register of pharmacists prepared and maintained under 
Chapter IV of this Act, subject to an application to be made in this behalf within a 
period of one year commencing from 1st day of the January, 2020 and payment of such
fee as may be prescribed by the Administration of the Union territory of Ladakh.”. 


3. This notification created an ambiguity as it did not mention that whether the 
person possessing an approved qualification (medical assistant/pharmacists) under the 
Jammu and Kashmir Pharmacy Act, Samvat, 2011 (1955 A.D.) but could not be registered/ 
did not apply earlier due to some reason has an opportunity to be registered and whether 
the students who were undergoing an approved course leading to an approved qualification 
(medical assistant/pharmacists) for registration under the Jammu and Kashmir Pharmacy Act, 
Samvat, 2011 (1955 A.D.) at the time of enactment of the Jammu and Kashmir Re-organisation 
Act, 2019 and have acquired the said approved qualification (medical assistant/pharmacist) 
can be considered for registration. Hence, arose the need for amendment of section 32C of 
the Pharmacy Act, 1948. In view of the above, the following insertion is proposed in 
section 32C of the Pharmacy Act, 1948:— 


“32C. Notwithstanding anything contained in section 32, any person whose 
name has been entered in the register of pharmacists maintained under the Jammu 
and Kashmir Pharmacy Act, 2011 or possesses qualification (medical assistant/
pharmacists) prescribed under the said Act shall be deemed to have been entered in 
the register of pharmacists prepared and maintained under Chapter IV of this Act, 
subject to condition that an application to be made in this behalf within a period of 
one year from the commencement of the Pharmacy (Amendment) Act, 2023 and on 
payment of such fee, and in such manner, as may be prescribed by the Government of 
Union territory of Jammu and Kashmir and the Administration of Union territory of 
Ladakh.”. 


The above insertion resolves the ambiguity mentioned in the above paras. 


4. The proposed changes have been discussed with the Ministry of Home Affairs 
which had in turn held further consultations with the Department of Health and Medical 
Education of Government of Union territory of Jammu and Kashmir and of administration of 
Union territory of Ladakh. The Governments of both the Union territories submitted the 
draft amendment Bill duly vetted by their respective Department of Law, Justice, and 
Parliamentary Affairs. 


5. The Bill seeks to achieve the above objectives. 


NEW DELHI; DR. MANSUKH MANDAVIYA.
The 27th July, 2023. 


UTPAL KUMAR SINGH 


Secretary-General 